They have an MCP end-point, they want to market to both AI proponents and critics -- that's about what I learnt from scanning the article.
Big title, little content.
The thing is Fastmail can't speak with absolute authority about email because Fastmail is not email. It's subordinate to it.
It's important that they're secure.
Is it possible to have E2E encryption on emails?
You literally have a proton email address on your profile.
So on seeing this title, I was a bit worried.
> It’s worth being transparent about what that looks like at Fastmail: we haven’t integrated AI into your inbox, and your mail isn’t being processed by a model in the background. Our MCP server is simply an API endpoint available if you want to connect an AI client of your choosing with your explicit authorization, and nothing changes if you don’t.
Phew.
No AI needed, and also no stupid AI summary, as you only get a few legit emails to your inbox, never spam anymore.
But great idea, what i added is the opposite direcrection: showing if a sender used spy pixel. There I used public spylists I found.
Please, Fastmail, don't fuck this up. I have been a happy customer for years. Do not fuck this up with idiotic AI systems. I just want reliable email.
... and then the article goes on to talk about SPF, DKIM and DMARC which authenticates only the domain part of the "From" field. So just the reputation of the email server, not the entity that sent you the email. If things get as bad with AI generated deception as suggested by the article this wouldn't be good enough, we would have to start signing our emails again. Emails from entities we don't know would have to be treated with a high level of suspicion.
I am not convinced that things will for sure really get that bad. How can a AI figure out the email addresses of our correspondents? They are not magic.
I particularly don't understand the constant fanfare around discussions of SPF/DKIM/DMARC. They're widely understood, published RFCs that have been around for at least 10-15 years, some of them longer. They're not obscure folk wisdom passed down through generations of sysadmins, yet I read so many documents and articles that make it sound like a proprietary trade secret that the authors of such articles are graciously revealing to the world.
Nice. ;)
Also there's a spectrum from Gmail to Fastmail to AWS SES to Wireguard on a VPS that's tunneling to a server running at home. And when the people from both extremes of the spectrum interact they look at each other as if they're from other planets.
It's the same for Auth stuff I believe, almost a decade of generic advice like "don't roll your own auth" has lead some people to file it into a tidy corner of their mind labelled "DON'T TOUCH" so most people end up gawking and staring in awe when someone does so and lose all nuance along the way. To be clear I'm advocating for learning how stuff works and playing around with it (time permitting) instead of simply delegating it to the technical equivalent of Higher Powers in perpetuity.
Another subscription for software- and people outside HN hate paying for software- when outlook, apple and Gmail exist?
https://www.ietf.org/archive/id/draft-adams-arc-experiment-c...
It will be interesting to see if Google can be convinced to move away from ARC to something else. Gmail is all about email server reputation these days so they can reliably treat email servers they don't like badly.
Gmail Thinks I'm Stupid, So I Left: https://news.ycombinator.com/item?id=48375016
Self hosting is hard (which is why I just use Fastmail now), but it's not because of that.
For instance, I am self-hosted, that without DNS. The email designers were carefull to make the email system work without DNS, that with email addresses with IP literals: mailbox@[x.x.x.x] and mailbox@[ipv6:...] (and I guess once ipv4 is really gone, the ipv6: prefix will be dropped).
This is stronger thas SPF, since as soon as a IP literals in the envelope and the various "from" headers does not match the actually IP from the sending SMTP server, the email is dropped, not even going in spam.
If I send such email to gmail for instance... I get a 'missing a DNS PTR' record, go to hell. How, convenient, to send an email there, you must have bought a DNS domain, knowing perfectly that most registrars nowadays are gated by the web engines of the whatng cartel... which gogol, then gmail does belong to... how convenient, the crime is almost perfect, I don't put that on the account of incompetence, this is beyond that, we are in the realm of toxic malice.
I do presume now they know what they are doing, killing all small tech, or self-hosting is in their agenda of dominant internet corporation.
In time there will be a reckoning though. The geopolitical instability at the moment will see the end of the US dominant services used outside of the US so they will have to work out how to make a not small but balkanised email provider model work again.
Here's a big part of the problem right there. Google requires something, it becomes a requirement. In fact, Google's hold on email is a problem in itself. Among other things we need variety. Without it, "Google begins requiring" will be a recurring theme. It's happening again now with mobile phone apps! "Google begins requiring" that you register with them so that the apps you write can be installed on Android phones.
> This shifted authentication from something senders could deprioritize to a basic prerequisite for reaching inboxes.
And later, Google and a few other large players could just prevent individuals and smaller email service providers from being able to send email, at all.
> so the filtering systems can tell where bad content is coming from and avoid hurting the reputation of the wrong parties.
Be ready for people who don't register with the big corporations to be marked as having "bad reputation" and being simply blocked. There might be some technical excuse.
> The inbox of the future will be faster, smarter, and more capable than what most of us use today.
That sounds like the inbox of the future might be controlled by somebody else. I don't like that at all.
Of all the stuff Gmail imposes on the rest of the world, requiring proper sender authentication was a good thing and we've helped thousands of senders set up proper authentication because of it.
Forcing the issue finally got rid of the ridiculous practice of ignoring SPF/DKIM failures and just setting the DMARC record to p=none.
None of this changes the fact that Gmail is a problem for so many other reasons, but this specific imposed change was a net benefit for the entire email ecosystem.
Not so for Google Workspace. I get more spam and fake invoices and DocuSign contracts than I used to.
That's why I bought my email domain and use <domain_name>@hnrobert42.com. It helps to use a password manager.
I get a lot of convincing emails to linkedin@hnrobert42.com. As well as zynga, wework, etc.
sverhagen•1h ago
iLoveOncall•1h ago
This will literally never happen. Email doesn't support the features that those messaging platforms need to have, such as recalling messages.
The security layers are also only on the sender part, not on the receiver part, which banks care a lot more about.
superice•1h ago
I'll settle for a brief edit (not retraction!) window after sending though, say 5 minutes tops.
Edit (I realize the irony): banks of course won't give a hoot about the receiver, the power dynamic is inherently not equal.
Hizonner•35m ago
"Need".
LoganDark•1h ago
Symbiote•1h ago
The messages are usually PDFs, which isn't great for accessibility, e.g. using a translation tool.
jasode•1h ago
Instead, legitimate companies like banks, healthcare, etc tell users to click on a url link to their "Secure Message Center" to read or submit some critical information. It's often the only way to get the info the users need.
E.g. if I open a payment dispute with the bank, the workflow they use is the Secure Message area. I can't just use my normal email client and upload some pdf attachments. Instead, I have to log into my bank website, navigate to their Secure Message area, and then upload the docs there to submit the claim. They also don't send followup status or final resolution in an email. Instead, you log back into the Secure Message area to read the case resolution. Similar for insurance claims.
Similar situation for asking a medical imaging center for some mammograms. They will not send those as PDF or JPG attachments directly to your email address. Instead, you log into a secure message area on a healthcare website and download it from there.
LoganDark•29m ago
No, this includes all messages from my doctor/healthcare. It's not mass spam.
Theoretically I could want to know what's in the message, but not enough to visit a website I've been logged out of again, perform multi-factor authentication, navigate to the message center and find the message and then back it up manually.
thefounder•1h ago
Angostura•1h ago
fc417fc802•57m ago
coldtea•52m ago
thefounder•25m ago
jen729w•1h ago
This is kinda what 'masked email' services like Fastmail's – of which I am a delighted customer – do.
Until you've known the comfort of creating an address; giving it to a service; deciding that you want to end your relationship with them; just deleting that address, without changing your mailbox or infrastructure or archives or anything else … it's kinda life changing. I recommend everyone try it.
Also, the chances of a phisher trying to get my BigBank details by sending mail to lonely.chicken6382@spuriously-named-and-unused-other-than-for-email-domain.com are … well, it seems unlikely.
I've never felt more secure. For real.